| 26 | | [http://www.cs.umd.edu/~jkatz/papers/dh-sigs-full.pdf Efficient Signature Schemes with Tight Reductions to the Diffie-Hellman Problems] Scheme 1 in this paper comes with a tight reduction to the Computational Diffie-Hellman problem, which means it is definitely at least as secure as any discrete-log-based scheme and could be more secure. It also has a good pedigree (having been suggested by David Chaum et al. in 1989 and having been proven to tightly reduce to Computational Diffie-Hellman by Katz et al. in 2003). It also has a nice short public key, which could be good for fitting it into our capability security schemes. |
| | 26 | ==== Hash-Based Digital Signatures ==== |
| | 27 | |
| | 28 | [http://www.cdc.informatik.tu-darmstadt.de/~dahmen/papers/hashbasedcrypto.pdf Hash-based Digital Signature Schemes] by Buchmann, Dahmen, and Szydlo; A survey of why it might be a good idea. |
| | 29 | |
| | 30 | [https://www.minicrypt.cdc.informatik.tu-darmstadt.de/reports/reports/REDBP08.pdf Fast Hash-Based Signatures on Constrained Devices] by Rohde, Eisenbarth, Dahmen, Buchmann, and Paar; a case study of implementing hash-based digital signatures for a 8-bit microcontroller. Their implementation had some trade-offs that we wouldn't want: it is a "key-evolving" design (the signer has to maintain state in order to avoid a security failure), it can only handle a limited number of signatures, and they spent a lot of time in key generation. Hm, I can't find this in their paper now, but I thought that last time I read it I saw that they spent more than an hour (!!) generating each key on a PC! On the other hand, the result is a digital signature scheme which is faster and arguably safer than RSA or ECDSA on their 8-bit microcontroller. |
